Date = 12/02/20 
13:53:51 
time 4,32 


new case 


ICO consultation on the draft right of access guidance 


Q1 


Does the draft guidance cover the relevant issues about the right of access? 
© Yes 
©) No 

©) Unsure / don't know 

If no or unsure/don’t know, what other issues would you like to be covered in it? 


Q2 


Does the draft guidance contain the right level of detail? 
O) Yes 


© No 


©) Unsure / don't know 


If no or unsure/don't know, in what areas should there be more detail within the draft 
guidance? 


The draft guidance does not cover what is meant by “reasonable to disclose” sufficiently. Since 
reasonableness is a variable concept, I think the “What should we do if the request involves information 
about other individuals?” in step 2 (“is it reasonable to disclose without consent?”) should be much more 
informative. When dealing with requests, my colleagues and I differentiate between those in a senior 
position and those in junior positions when deciding if the information is disclosable. For instance, if you 
have a more junior position, and you are not expressing information in a professional capacity, you have 
a greater expectation of privacy. For those in more senior positions, statements made by virtue of their 
senior role in correspondence which is held by the organisation, may have a greater impact on the data 
subject than the more junior staff members. In which case, we think this should be disclosed (left 
unredacted) because the data subject has a greater interest in learning that information as it will have 
impacted them professionally. The guidance should have more practical guidance on how to treat various 
position holders within organisations and whether this would change the presumption of reasonableness. 
This is somewhat covered for health and social workers in Schedule 2 of the DPA 2018, but I think it 
needs to be interpreted for a more corporate work space. Furthermore, we have encountered many 
occasions where a junior employee has expressed an opinion in an email or some form of 
correspondence. Since the opinion is personal data in itself (correct me if I’m wrong), would the opinion 
need to be redacted or the identity of the third party who expressed the opinion? Should 
disproportionate effort ever be included in a consideration of reasonableness? If the third party in the 
DSAR results is mentioned a significant number of times, but is perhaps not particularly integral to the 
requester’s information and is more junior in the organisation, can the fact that the amount of time that 
would be spent to ensure their privacy is protected be a persuading factor in leaving their name 
unredacted? The guidance does explain the basic principles of legal and litigation privilege, but it takes 
further research to fully understand how these concepts work in practice. The prejudicial aspect of 
litigation privilege has proved to be a difficulty for my colleagues and I in the past. The ICO should 
provide further guidance on the time periods necessary to consider when applying this exemption 
because litigation could be started at any time by any interested party. Disclosure of certain information 
may inform a letter before action. Litigation privilege also includes this concept of the ‘litigation being in 
contemplation’ — the guidance should address to what extent does this apply to DSARs? Should both the 
controller and the data subject be aware that litigation may arise as a result of the information contained 
in the DSAR or can the fact that one party may be considering it be enough to warrant a restriction of 
access? My firm would particularly benefit from some very specific examples as opposed to the 
principle-based approach that seems to be taken. I would appreciate some anonymised examples from past cases 
where redactions have been removed and/or applied. Another area that has proved a difficult conflict in 
the past, is the ‘serious harm’ test which is, practically speaking, vaguely unworkable when applied to 
third parties. To what extent can a controller request a doctor’s note about a third party’s mental state 
when they have no strict legal basis (from Article 9 GDPR as it would be classed as special category 
data) to access a note from a third party’s doctor? This reliance on a medical professional could perhaps 
get in the way of common sense. For instance where you are dealing with a requester who has allegedly 


Q3 


Does the draft guidance contain enough examples? 
©) Yes 
© No 
©) Unsure / don't know 


If no or unsure/don’t know, please provide any examples that you think should be included in 
the draft guidance. 


See answer to Q2 above — I think more practical examples regarding email correspondence within 
organisations should be included as this, from my experience, is likely the most common type of source 
used in DSAR responses. 


Q4 


We have found that data protection professionals often struggle with applying and 
defining ‘manifestly unfounded or excessive’ subject access requests. We would like 
to include a wide range of examples from a variety of sectors to help you. Please 
provide some examples of manifestly unfounded and excessive requests below (if 
applicable). 


Where the requester is asking for every email containing their personal information 
over the course of their employment. I think it should be a pre-requisite of all DSAR 
requests that the controller is allowed to ask the requester what they are attempting 
to achieve by making the request. I understand that the right of access should not 
be impeded but think that perhaps the 30-day countdown should not start until the 
requester had given a reason for the request. This can be broad if the request is 
intentionally broad. But I think it would minimise the number of requests made just 
to cause an issue for compliance teams in organisations. 


Q5 On a scale of 1-5 how useful is the draft guidance? 


1 - Not at all useful 
2 - Slightly useful 
3 - Moderately useful 
4 - Very useful 
5 - Extremely useful 


Q6 Why have you given this score? 


While it provides useful insight into the right of access and the reasons for it as well 
as how it is applied in practice, I am still left with questions on how to best serve 
requesters. I think the guidance should be updated with a view from previous 
complaints/queries the ICO has received regarding the right of access should be 
incorporated. Many times, when my team has undertaken a redaction exercise we 
are often left referring to the guidance but not quite finding the answers we are 
looking for. I think it needs more practicality and examples of how you've 
interpreted the word of the Data Protection Act as opposed to just reciting it. 


Q7 To what extent do you agree that the draft guidance is clear and easy to understand? 


Strongly disagree 
Disagree 
Neither agree nor disagree 
Agree 
Strongly agree 


© 


Q8 


Q9 


Please provide any further comments or suggestions you may have about the draft 
guidance. 


The wording is clear and both the layout and structure are methodical. 


Are you answering as: 

O An individual acting in a private capacity (eg someone providing their views as a member of the public) 
© An individual acting in a professional capacity 

C) On behalf of an organisation 

() Other 

Please specify the name of your organisation: 


What sector are you from: 
Legal 


Q10 How did you find out about this survey? 
©) ICO Twitter account 
(|) ICO Facebook account 
©) ICO LinkedIn account 
© ICO website 
©) ICO newsletter 
C) ICO staff member 
C) Colleague 
©) Personal/work Twitter account 
(`) Personal/work Facebook account 
() Personal/work LinkedIn account 
O Other 
If other please specify: 


